Regulating IoT Cybersecurity – What Could Smart Government Involvement Look Like?
In a rare move, cybersecurity experts recently asked the US government to enforce regulations mandating that all internet-connected devices have built-in security; otherwise, the US could soon face a disastrous cyber-attack.
This demand was raised in a US congressional hearing held by members of the House Energy and Commerce Committee, which examined how millions of infected internet-connected devices took down parts of the internet on October 21, 2016 [1].
“I'm not a regulatory fan. But this is the world of dangerous things. The choice is not between government involvement and no government involvement. It's between smart government involvements versus stupid government involvement.” Bruce Schneier, one of the world's leading computer security experts, told the congressional hearing [1].
So what could a Smart Government involvement look like?
Due to the uniqueness, complexity, exponential growth and global footprint of IoT devices in the cyber world, smart government involvement will most likely be a multi-faceted effort, manifesting itself in various forms, including smart regulations, economic incentives and increased stakeholder awareness, in order to achieve its policy objectives.
Government may institute a comprehensive IoT cybersecurity regulation by using a combination of performance-based and co-regulation models. From a co-regulation perspective, it may involve target groups to have a say in the preparation, implementation and management of the policy. From a performance-based perspective, it may keep to the essentials, defining the outcome the regulation is meant to achieve but not the process a regulated party should follow to achieve that outcome.
The regulations may manifest themselves in the form of a minimum set of cybersecurity standards for IoT devices which the government can develop in close collaboration with the private sector. One way this collaboration may materialize is the formation of a consortium of public and private sector organizations, such as NIST, IETF, NSF, major tech companies and think tanks, working together to formulate principles-based standards. Such standards could require IoT manufacturers and related software vendors to incorporate security controls from the ground up, while leaving it up to the manufacturers and vendors to figure out how to achieve them. One important aspect of standard making could also be to make the standards flexible enough that they are able to meet future demands and the rapidly growing sophistication of attackers. It is important to note that public and private sector collaboration on promoting secure technologies already exists to some extent; an example is the partnership between the National Cybersecurity Center of Excellence (NCCoE) and a variety of US technology companies such as IBM, FireEye and Cisco.
Secondly, the government may also consider using economic tools for achieving its policy objectives. The use of economic tools such as tax subsidies, research funding, tariffs and permits has the advantage of reducing market disruption in comparison to other regulatory forms. Such economic tools offer the potential for efficiency gains for two reasons. Firstly, they allow businesses to achieve a policy objective at the lowest possible cost. Secondly, innovation and technological change are encouraged as a way of achieving the mandated policy objectives [2].
For example, government may consider increasing the allocation of resources to enhance and expand cybersecurity research initiatives such as the one led by the Department of Homeland Security as part of the 2003 President’s National Strategy to Secure Cyberspace. Government may also look into either establishing or endorsing an industry standard with a seal of approval, or a security rating system for devices or software, which could encourage companies and consumers to buy more secure IoT devices, thereby creating an economic incentive for the vendors. Other examples may include limiting sales of devices in the US that do not meet the standards. This may incentivize vendors to fundamentally improve the security of their devices for everyone, with a global impact. Government may also look into offering subsidies or tax breaks for US manufacturers who meet or exceed the US cybersecurity standards for IoT devices.
Lastly, government may look into increasing public awareness of cybersecurity for IoT devices, which can compensate for the information asymmetry citizens and businesses may be confronted with. This may enable consumers of IoT devices to take rational decisions which correspond closely with their preferences. Government may also attempt to improve cybersecurity by increasing public visibility of companies with weak security; an existing example of this is the California Notice of Security Breach Act. Furthermore, government may look into criminalizing cyber-attacks, both to discourage them and to increase public awareness.
Sources:
[1] http://money.cnn.com/2016/11/16/technology/cybersecurity-regulation-congress/
[2] OECD Regulatory Policy - Annex II - Regulatory Alternatives
Comments:
Franck Martins (8y) – Data, Analytics, ML, AI Executive serving Healthcare, Life Sciences, Financials, Automotive, driving better patient and customer outcomes utilizing technology innovations:
Great read. Thanks.
(8y) – Consultant || Open Data Charter || Smart Cities Council || Practice Lead - DM || Masters student (EPM) || data | community and equity | environment, climate, and regeneration | strategy & futures | innovation. Views own:
Seen this, Ben Creet?
(8y) – ✫Visionary CIDO | Healthcare Digital Transformation | Epic Gold Star 10 | Cybersecurity & AI Expert | Driving Healthcare Efficiency:
Regulation is not the answer. The fact is most people don't realize that they are living in a world where they have a complex wired and wireless network inside their own home. It's not that companies and consumers aren't motivated toward security when they're aware that they need it; it's that companies and consumers aren't aware that they need it. Because they'll never complain about it, there's no reputation or market impact to the manufacturer for not doing security. And because there's no positive market incentive for the manufacturer to properly secure their devices, many won't. We have over 20 billion IoT devices out there, almost triple the number of humans in the world. Unless or until we don't see negative impacts of these incidents, I don't think we will get the manufacturers' attention. I agreed with Israa's point about offering the incentives, but this is a very long shot. Just my 2 cents.
(8y) – Quantum Technologies Champion | Quantum Strategy Translator | Innovator | PMO Tuning | Author | Speaker:
Informative, concise and thought provoking. Thanks for posting!